The (presumably ancient) code has a bug, though: it does not verify the syntax of the user name. RFC 959 specifies that a username may consist of a sequence of any of the 128 ASCII characters except `<LF>`. Guess what the JRE implementers forgot? Exactly: to check for the presence of `<LF>`. This means that if we put `%0D%0A` anywhere in the user part of the URL (or the password part, for that matter), we can terminate the `USER` (or `PASS`) command and inject a new command into the FTP session.

So, if we send a `USER` command to a mail server instead of an FTP server, it will answer with an error code (since `USER` is not a valid SMTP command), but let us continue with our session. Combined with the bug mentioned above, this allows us to send arbitrary SMTP commands, which allows us to send emails.
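The missing check, as an added example that is not the JRE's code: a validator that percent-decodes the user and password parts of an `ftp://` URL and rejects CR or LF (plus anything outside 7-bit ASCII, per RFC 959), next to a helper that shows how an unchecked client's `USER` line splits into separate commands. The function names and the sample URLs are constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# RFC 959 allows any 7-bit ASCII character in a username except <LF>;
# CR is rejected too, since CR LF is the FTP/SMTP command terminator.
_CRLF = re.compile(r"[\r\n]")


def ftp_userinfo_is_safe(url: str) -> bool:
    """True if the user/password parts of an ftp:// URL cannot break
    out of the USER/PASS command once percent-decoded."""
    # urlsplit silently strips raw CR/LF, so check the raw string first.
    if _CRLF.search(url):
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        raise ValueError("not an ftp URL")
    for field in (parts.username, parts.password):
        if field is None:
            continue
        decoded = unquote(field)  # what the client would actually send
        if _CRLF.search(decoded):
            return False
        if any(ord(c) > 127 for c in decoded):
            return False
    return True


def user_command_lines(url: str) -> list:
    """Lines the server would see from a client that skips the check:
    one 'USER ...' line if the name is clean, extra commands otherwise."""
    user = unquote(urlsplit(url).username or "anonymous")
    return re.split(r"\r?\n", "USER " + user)


if __name__ == "__main__":
    # Constructed sample URLs; the second carries an injected NOOP.
    for u in ("ftp://alice:secret@ftp.example.com/file.txt",
              "ftp://alice%0D%0ANOOP@ftp.example.com/"):
        print(ftp_userinfo_is_safe(u), user_command_lines(u))
```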